Getting Data In

alert on deleted data

troywollenslege
Path Finder

Trying to look through the _internal logs in realtime to fire an alert if anyone tries to delete files with | delete

All searches I try will find the search itself (thus always firing).

Thoughts?

1 Solution

araitz
Splunk Employee

Put a crazy string in your search, like so:

 index=_audit "action=search" search=*delete* NOT dfsdkljwkwtw

This will prevent your search from showing up in the results.

You might want to refine it a bit using a regex to look for | delete, |delete, | delete, etc.

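The two ideas in the accepted answer, a marker token so the alert search never matches itself and a regex that catches the pipe-plus-delete variants, as a small detection run over constructed audittrail-style lines. This is an added example, not code from the thread or from Splunk; the field layout of the sample lines and the marker value are assumptions.

```python
import re

# Constructed sample _audit lines (not real Splunk output). The layout mimics
# what audittrail records for a search; the "soc" line is the monitoring
# search itself, carrying the marker token from the answer above.
MARKER = "dfsdkljwkwtw"
SAMPLE_AUDIT = """\
user=alice, action=search, info=granted, search='search index=main sourcetype=syslog | delete'
user=bob, action=search, info=granted, search='search index=main error | stats count'
user=carol, action=search, info=granted, search='search index=web status=500 |delete'
user=soc, action=search, info=granted, search='search index=_audit action=search search=*delete* NOT dfsdkljwkwtw'
user=dave, action=search, info=granted, search='search index=main deleted=true | table host'
"""

# A delete command is a pipe, optional whitespace, then the whole word
# "delete": this is the regex refinement the answer suggests, and it does
# not fire on field values such as deleted=true.
DELETE_CMD = re.compile(r"\|\s*delete\b", re.IGNORECASE)
# key=value pairs; a single-quoted value is consumed whole so that
# key=value text inside the logged search string is not split apart.
FIELD = re.compile(r"(\w+)=('(?:[^']*)'|[^,]+)")


def parse_audit_line(line):
    """Return a dict of key/value pairs from one audittrail-style line."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields[key] = value.strip("'")
    return fields


def find_delete_attempts(log_text, marker=MARKER):
    """Return (user, search) for every search that runs the delete command,
    skipping the monitoring search itself, identified by the marker token."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec.get("action") != "search":
            continue
        spl = rec.get("search", "")
        if marker in spl:
            continue  # our own alert search: never self-fire
        if DELETE_CMD.search(spl):
            hits.append((rec.get("user"), spl))
    return hits
```

Running `find_delete_attempts(SAMPLE_AUDIT)` flags alice and carol only; the monitoring search and the `deleted=true` search are not reported.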

awjohnson
Explorer

This is the search I'm running to monitor for delete attempts:

index=_audit sourcetype=audittrail "|" "delete" NOT "search='search index=_audit"

I'm searching the index of _audit and the sourcetype of auditrail for | and delete. Then so that my searches for delete activity do not generate alerts, I exclude searches of searches that include delete.


troywollenslege
Path Finder

Thx. I was using _internal, audit seems to work better;

 index=_audit "action=search" search="*delete'" | table user info search

This is the search that I am going to run, seems to work with the caveat that there may be some false positives, which I am ok with.


lguinn2
Legend

In 4.3 -

You can do the realtime alert on a rolling window, which gives you the opportunity to set a custom condition. In the custom condition, test for _time != now()

"now" is the time that the search started...

I am not sure that this will work, but I think it should...


troywollenslege
Path Finder

Maybe I wasn't clear. I can do the search; the problem is that when I search for someone deleting data, the search itself is found. So I would get alerted every time.
